Vulnerability Database

CVE-2015-3144

The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80."

  • Published: Apr 24, 2015
  • Updated: Apr 13, 2023
  • CVE: CVE-2015-3144
  • Severity: High
  • Exploit:

CVSS v2:

  • Severity: High
  • Score: 9
  • AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

Software                             From      Fixed in
oracle / mysql_enterprise_monitor    -         2.3.20.x
oracle / mysql_enterprise_monitor    -         3.0.22.x
haxx / curl                          7.40.0    7.40.0.x
haxx / curl                          7.38.0    7.38.0.x
haxx / curl                          7.41.0    7.41.0.x
haxx / curl                          7.37.1    7.37.1.x
haxx / curl                          7.37.0    7.37.0.x
haxx / curl                          7.39.0    7.39.0.x
haxx / libcurl                       7.37.0    7.37.0.x
haxx / libcurl                       7.40.0    7.40.0.x
haxx / libcurl                       7.41.0    7.41.0.x
haxx / libcurl                       7.38.0    7.38.0.x
haxx / libcurl                       7.37.1    7.37.1.x
haxx / libcurl                       7.39      7.39.x
canonical / ubuntu_linux             12.04     12.04.x
debian / debian_linux                7.0       7.0.x
canonical / ubuntu_linux             14.10     14.10.x
canonical / ubuntu_linux             14.04     14.04.x
canonical / ubuntu_linux             15.04     15.04.x